© Grant Thornton 


An instinct for growth: 


Information Commissioner's Office 


Internal Audit 2013-14: Payroll and Pensions review 


Last updated 11 February 2014 


For action | Director of Corporate Services | Fieldwork completed 24 January 2014


For information | Head of Organisational Development | Draft report issued 7 February 2014
For information | Audit Committee 7 February 2014 
Final report issued 11 February 2014 


This report is confidential and is intended for use by the management and Directors of the ICO only. It forms part of our continuing dialogue with you. It should not be made available, in whole or in part, to any third 
party without our prior written consent. We do not accept responsibility for any reliance that third parties may place upon this report. Any third party relying on this report does so entirely at its own risk. We accept no 
liability to any third party for any loss or damage suffered or costs incurred, arising out of or in connection with the use of this report, however such loss or damage is caused. 


It is the responsibility solely of the ICO management to ensure that there are adequate arrangements in place in relation to risk management, governance and control. 


Information Commissioner's Office | Internal Audit | Payroll and Pensions review

1. Executive summary
2. Detailed Findings


Appendices 
1 Executive Summary 
1.1 Background
The ICO outsources its payroll function to Capita, who have recently
relocated the delivery of Capita payroll services, resulting in a new set of
staff being responsible for processing the ICO's payroll.

Given these changes, it was agreed that the review of HR and staff
development included in the 2013-14 Internal Audit plan would be
changed to a review of the ICO's payroll and pensions controls, focussing
particularly on set up of and amendments to core data, as well as the level
of management information available.

Further details on responsibilities, approach and scope are included in
Appendix A.

Payroll expenditure is around £12 million per annum, representing around
60% of the ICO's total expenditure. The ICO is considering a move
towards online payslips, however this is currently only in the early stages of
consideration internally, and at present no discussions have been held with
Capita.


1.2 Scope
Our review involved an assessment of the following risks:

Payroll

• The ICO may not have robust controls (including appropriate
segregation of duties and authorisations) in place and operating
regarding adding, amending or removing staff from the payroll;

• Controls may not include appropriate arrangements to check changes
to standing data or flexible amounts prior to their communication to
Capita for processing or reconciliation of changes made once
processed; and

• The ICO may not have appropriate arrangements to monitor the
payroll.

Pensions

• The ICO may not have robust controls in place and operating
regarding the enrolment of staff pension schemes and the application
of selections to the payroll; and

• Amendments to pension scheme selections (including leavers), and any
impact on payroll deductions may not be applied correctly.


1.3 Overall assessment
We have made an overall assessment of our findings as:

Overall assessment
We have identified matters which, if resolved, will help management fulfil
their responsibility to maintain a robust system of internal control.

Please refer to appendix B for further information regarding our overall
assessment and audit finding ratings.


1.4 Key findings

Risk / Process
Amending staff on the payroll
Changes to payroll standing data
Monitoring the payroll
Enrolment of staff pension schemes
Amending pension scheme selections
Total: - 1 1 -

The following finding was rated as medium priority: 


• At present there are no exception reports provided by Capita to 
highlight changes made to bank details. Though there are mitigating 
controls in place to prevent the addition of a fake employee with 
fraudulent bank details, review of an exception report of changes to 
bank details would provide the ICO with greater assurance that only 
legitimate changes have been made. 


Further details of our findings and recommendations are provided in 
Section 2. 


1.5 Basis of preparation 
Whilst we report by exception, we draw attention to the following matters 
in addition to the issues raised within the findings section of this report. 


Payroll 

The ICO does not have access to the Capita payroll system. A payroll 
workbook (an Excel spreadsheet) is used by the ICO to record all required 
changes to the monthly payroll, and these are subsequently processed by 
Capita. 


As part of our review we completed sample testing of starters, leavers, pay 
amendments and changes to standing data to confirm that all changes had 
appropriate supporting documentation, had been recorded in the payroll 
workbook and had subsequently been processed by Capita per the relevant 
monthly payslips. We reviewed monthly and individual pay files for all 
amendments in the sample, covering payrolls from April to December 
2013. We identify the key controls below: 


• Changes to payroll standing data are required directly from the 
member of staff themselves. This can be either via an email from the 
staff member's secure ICO email account or via a signed paper form 
delivered in person to HR. 

• The Head of Organisational Development reviews and approves 
additions to the monthly payroll workbook. It is then sent to Capita 
for processing, together with copies of documentation to support the 
changes requested. As part of processing the changes, Capita are relied 
upon to only make changes per the workbook that are accompanied by 
accurate supporting documentation. 

• On return of the first run of the payroll, all changes requested per the 
workbook are checked to processed payslips for accuracy by the Head 
of Organisational Development. 

• Following authorisation of the final payroll by the Head of 
Organisational Development, the Head of Finance reviews the payroll 
before approving the total payment amount for release to Capita. This 
involves confirming that all staff payments agree to known starters and 
leavers, and reviewing and investigating variances on an individual 
basis. 

• The payroll is compared to budget on a monthly basis by the Head of 
Finance, and reported on to Management Team in the monthly finance 
reports. 


Pensions 

As members of the Civil Service, ICO employees join a Civil Service 
pension scheme which differs depending on their employment history. 
Standard Civil Service pensions selection forms and guidance are provided 
to staff on joining the ICO, to either explain the options for a first-time 
joiner or identify the relevant scheme for a new starter with an historic 
Civil Service pension. 


• Pensions selections for new starters are recorded by the staff member 
on the Civil Service selection form, documented in the payroll 
workbook by HR, and are subsequently checked to payslips by the 
Head of Organisational Development following processing by Capita. 
The same checks are completed where a request to change pensions 
scheme is made. For the sample of new starters we confirmed that the 
pension scheme identified in the pensions questionnaire had been 
correctly recorded on the payroll workbook and subsequently 
processed per the payslip. A sample of pensions amendments were 
included in our testing of pay amendments. 

• Where a member of staff leaves, the ICO is required to inform My 
CSP, an external Civil Service pensions function, who will take the 
relevant next steps with the member of staff. For the sample of 
leavers, we confirmed that a notification of the leaver had been sent to 
My CSP in all instances. 


1.6 Elsewhere in the sector 

We detail below other ways of working and commonly occurring issues 
that we have experienced during similar types of reviews for other public 
bodies. The following does not necessarily purport to be good practice but 
is included for your information and consideration. 


• Where possible, other organisations have one member of HR who 
deals with the completion of new starter or leaver paperwork, and a 
separate member of staff who enters the details into the payroll system, 
giving additional segregation of duties. 


1.7 Acknowledgement 


We would like to take this opportunity to thank the staff involved for their 
co-operation during this internal audit. 
2 Detailed Findings 


2.1 Controls may not include appropriate arrangements to check changes to payroll standing data or flexible payments to 
staff prior to their communication to Capita for processing, or reconciliation of changes made once processed 


Changes to staff bank details 


Finding and Implication 

There are exception reports produced by Capita which 
highlight changes made to the payroll in the month (including 
and staff added), however there is not an exception report for 
changes to bank details. Therefore while the Head of 
Organisational Development is able to confirm that all changes 
requested in the workbook have been made, it is not possible 
to identify any unauthorised changes made. 

This risk may be mitigated by the fact that exception reports 
identify any new staff added, and therefore the only 
unauthorised bank detail changes that could be made are to 
change those of a legitimate staff member. 

The availability of an exception report highlighting changes to 
bank details however would provide additional assurance over 
the risk of any illegitimate or fraudulent changes to bank 
details being made. 


Proposed action 

The ICO should investigate with Capita the 
possibility of obtaining an exception report on 
bank detail changes. 

If this is possible, it should be used by the 
Head of Organisational Development to review 
bank details changes prior to authorisation of 
the final payroll. 


Agreed action (Date / Ownership) 

Agreed action 
Capita payroll have been asked to produce a 
monthly report of changed bank details. 

Date Effective: February 2014 

Owner: Mike Collins 
2.2 The ICO may not have appropriate arrangements to monitor the payroll 


Documenting the payroll approval process 


Finding and Implication 

Monthly payroll amendments are added to the payroll 
workbook by HR staff. Checks to supporting documentation 
are completed by the Head of Organisational Development 
prior to sending the workbook to Capita for processing, and 
further checks are made on the accuracy and completeness 
of processed data before the final payroll is authorised. 

This process is not documented however, nor are the 
various checks formally signed off as completed. The only 
documentary evidence of these checks is in the form of 
amendments returned to Capita after review of the 
processed payroll. Should there be no further processing 
required however, then there is no evidence that the monthly 
checks have been undertaken. 

Through our testing of additions and amendments to 
monthly payrolls, we found no issues with the accuracy of 
added or changed data. Further, we were able to evidence 
that where further processing had been required by Capita, 
that such additional work had been identified by Head of 
Organisational Development as a result of his checks. 

Without having a clearly documented payroll process, there 
is a risk that should the Head of Organisational Development 
be unavailable, key checks of the accuracy of the payroll 
may not be completed, resulting in incorrect or inappropriate 
payments made by the ICO. Further, a lack of formal sign off 
to evidence completion of these checks increases the risk of 
them not being completed, or not being completed in full. 


Proposed action 

The ICO should produce a monthly payroll 
checklist, which documents the key stages in the 
payroll approval process and the required 
checks to be undertaken. […] 
relevant stage of the process, and filed with the 
monthly pay file as evidence of the checks 
completed. 


Agreed action (Date / Ownership) 

Agreed action 
A checklist for the manual payfile has been 
produced. This details the checks required and 
actions needed along with confirmation of who 
has completed them. 

Date Effective: February 2014 

Owner: Mike Collins 
A Internal audit approach 


Approach 

Our role as internal auditor to a Public Body is to provide an independent 
and objective opinion to the Accounting Officer on risk management, 
control and governance processes, by measuring and evaluating their 
effectiveness in achieving the organisation's agreed strategic objectives. 


Our audit was carried out in accordance with the guidance contained 
within the Government’s Internal Audit Standards (2013) and the Auditing 
Practices Board’s ‘Guidance for Internal Auditors’. We also had regard to 
the Institute of Internal Auditors’ guidance on risk based internal auditing 
(2005). In addition, we comply in all material respects with other 
Government guidance applicable to Public Bodies and have had regard to 
the HM Treasury guidelines on effective risk management (the ‘Orange 
Book’). 


As part of our 2013-14 Audit Plan, we agreed with the Audit Committee 
and management that we should carry out a review of the ICO's 
arrangements for managing credit and debit card payments in ICE, to 
further inform our ongoing understanding of the ICO’s key internal 
control activities. 


Our aim in completing this audit was to ensure that the ICO has 
appropriate arrangements in place to identify, manage and report on risk. 
We achieved our audit objectives by: 


• Walking through both the payroll and pensions processes to gain an 
understanding of the arrangements in place; 

• Reviewing key process documents that support the arrangements in 
place; 

• Testing a sample of specific processes, including payroll starters, 
leavers, amendments and pensions starters, leavers and amendments to 
assess their operation; 

• Reviewing the payroll and pensions management information available 
as well as any checks carried out on its completeness and accuracy. 




The findings and conclusions from this review will support our annual 
opinion to the Audit Committee on the adequacy and effectiveness of 
internal control arrangements. 


Responsibilities 


The Information Commissioner acts through his Board of Management 
and the Information Commissioner's Office ("ICO") discharges his 
obligations. Therefore references to the Information Commissioner and 
the ICO in this report relate to one and the same party. 


It is the responsibility of the Information Commissioner to ensure that the 
ICO has adequate and effective risk management, control and governance 
processes. 
HM Treasury's Corporate Governance in Central Government 
Departments (2011) states that boards of Public Bodies should determine 
the nature and extent of the significant risks it is willing to take in 
achieving its strategic objectives. The Board should therefore maintain 
sound risk management and internal control systems and should establish 
formal and transparent arrangements for considering how they should 
apply the corporate reporting and risk management and internal control 
principles and for maintaining an appropriate relationship with the 
organisation's auditors. 


Please refer to our letter of engagement for full details of responsibilities 
and other terms and conditions. 


Scope 
Our review involved an assessment of the following risks: 


Payroll 

• The ICO may not have robust controls (including appropriate 
segregation of duties and authorisations) in place and operating 
regarding adding, amending or removing staff from the payroll leading 
to inappropriate payments or failure to pay the correct amount due to 
staff; 

• Controls may not include appropriate arrangements to check changes 
to standing data or flexible amounts prior to their communication to 
Capita for processing or reconciliation of changes made once 
processed, leading to an incomplete or inaccurate payroll; and 

• The ICO may not have appropriate arrangements to monitor the 
payroll, resulting in movements in the monthly payroll not being 
identified and validated or remediated as appropriate. 


Pensions 

• The ICO may not have robust controls in place and operating 
regarding the enrolment of staff pension schemes and the application 
of selections to the payroll leading to the unidentified enrolment of 
staff into inappropriate schemes and/or incorrect deductions being 
taken from their pay; and 

• Amendments to pension scheme selections (including leavers), and any 
impact on payroll deductions may not be applied correctly, resulting in 
inappropriate scheme selection and/or incorrect deductions being 
taken from their pay. 


Additional information 


Client staff 
The following staff were consulted as part of this review: 


• Michael Collins, Head of Organisational Development 
• Andrew Cryer, Head of Finance 
• Richard Norman, Finance Manager 


Documents received 
The following documents were received during the course of this audit: 


• Access to view and physically verify evidence in 2013-14 monthly pay 
files and payroll workbooks was provided during the course of the 
audit. No copies of staff payroll information were taken. 


Locations 
The following locations were visited during the course of this review: 


• The Information Commissioner's Office, Wilmslow 


B Overall assessment and audit issues ratings 


Overall assessment 




Following agreement of the nature and significance of individual issues with management, in our view this report contains matters which should be 
raised with Senior Management and the Audit Committee at the earliest opportunity. 


Following agreement of the nature and significance of individual issues with management, in our view this report contains matters which require the 
attention of management to resolve and report on progress in line with current follow up processes. 


We have identified matters which, if resolved, will help management fulfil their responsibility to maintain a robust system of internal control. 


Audit issue rating 
Within each report, every audit issue is given a rating. This is summarised in the table below. 


Findings that are fundamental to the management of risk in the business 
area, representing a weakness in control that requires the immediate 
attention of management 

• Key control not designed or operating effectively 
• Potential for fraud identified 
• Non compliance with key procedures / standards 
• Non compliance with regulation 


Important findings that are to be resolved by line management. 

• Impact is contained within the department and compensating 
controls would detect errors 
• Possibility for fraud exists 
• Control failures identified but not in key controls 
• Non compliance with procedures / standards (but not resulting in key 
control failure) 


Findings that identify non-compliance with established procedures. 

• Minor control weakness 
• Minor non compliance with procedures / standards 


Items requiring no action but which may be of interest to management or 
best practice advice 

• Information for department management 
• Control operating but not necessarily in accordance with best 
practice 